[MDEV-10113] Connecting to MARIADB from an application server
| Created: | 2016-05-24 | Updated: | 2017-05-29 |
| Status: | Open |
| Project: | MariaDB Server |
| Component/s: | Authentication and Privilege System |
| Fix Version/s: | None |
| Type: | Task | Priority: | Minor |
| Reporter: | Nicholas Denning | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None | ||
| Description |
Historically in application servers and TP monitors all the application servers connect using a data source with the user name and password defined in the data source. Thus all transactions are carried out by a single user regardless of the actual user logged in to the application server. I want to connect from either or both of Tomcat and JBOSS to MariaDB passing the credentials of the user to MariaDB so that the connection then takes on all the rights and privileges of the connected user, but I cannot see how to do this.

Historically when building an application using WebSphere and DB2 I can define a data source in WebSphere that is what is called a trusted connection. When WebSphere connects to DB2 it uses the trusted connection and DB2 automatically switches to the named user.

We have configured Tomcat to use an LDAP server, we have configured MariaDB and PAM to use the same common LDAP server, but we have got stuck at the last leg as we cannot see any way to define a data source that will allow the credentials to be passed. We can see the AlternateUsernameAllowed but we think that only applies to a getConnection(username,password) where you know the user password, which of course we don't because that is locked in the LDAP server.

Would it be possible to have a facility in MariaDB where an appropriately privileged user can have a command such as CHANGE USER 'username'; The ideal scenario would be if there could be a transparent handshake within Tomcat and MariaDB so that when using an appropriate data source the connection was automatically changed to the Tomcat user.

As an alternative, we know the current user who has logged into Tomcat and we can pass this to the servlet which could then change the user to the Tomcat logged-in user. However this relies on user coding so could be subverted with a rogue servlet or an application bug.
| Comments |
| Comment by Daniel Black [ 2016-05-25 ] |
Does Kerberos/GSSAPI help? https://mariadb.com/kb/en/mariadb/gssapi-authentication-plugin (added with
| Comment by Sergei Golubchik [ 2016-05-25 ] |
There is a COM_CHANGE_USER protocol command and a mysql_change_user() API function, but they require credentials of the new user, as they go through a full authentication process. Is that what you mean?
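As an added illustration of why COM_CHANGE_USER cannot simply switch a connection to another identity, the following Python models both ends of the command for the mysql_native_password plugin. This is not code from the issue or from MariaDB; the payload layout follows the documented COM_CHANGE_USER format (command byte 0x11, NUL-terminated user, length-prefixed auth response, NUL-terminated database, 2-byte character set, NUL-terminated plugin name), and the scramble, account and password are constructed sample values. The point it shows is that the auth response is a function of the password and the server's scramble, so an application server that holds only the user name (or even only the stored hash) has nothing valid to put in the packet.

```python
"""Model of COM_CHANGE_USER with mysql_native_password (added example, not
MariaDB code).  The client side needs the password; the server side verifies
against the stored SHA1(SHA1(password)) without ever seeing the password."""
import hashlib
import struct

COM_CHANGE_USER = 0x11
CHARSET_UTF8MB4_GENERAL_CI = 45
PLUGIN_NAME = b"mysql_native_password"


def _sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def native_password_response(password: bytes, scramble: bytes) -> bytes:
    """Client side: SHA1(pw) XOR SHA1(scramble + SHA1(SHA1(pw))).
    Only a party that knows the cleartext password can compute this."""
    stage1 = _sha1(password)
    stage2 = _sha1(stage1)
    mask = _sha1(scramble + stage2)
    return bytes(a ^ b for a, b in zip(stage1, mask))


def stored_hash(password: bytes) -> bytes:
    """What the server keeps for the account: SHA1(SHA1(pw)).  Knowing this
    value is not enough to produce a valid auth response."""
    return _sha1(_sha1(password))


def verify_response(response: bytes, scramble: bytes, stored: bytes) -> bool:
    """Server side: unmask SHA1(pw) from the response and re-hash it."""
    if len(response) != 20:
        return False
    mask = _sha1(scramble + stored)
    stage1 = bytes(a ^ b for a, b in zip(response, mask))
    return _sha1(stage1) == stored


def build_change_user(user: bytes, password: bytes, scramble: bytes,
                      database: bytes = b"") -> bytes:
    """COM_CHANGE_USER payload as sent by a client with CLIENT_PROTOCOL_41,
    CLIENT_SECURE_CONNECTION and CLIENT_PLUGIN_AUTH set (no connection
    attributes).  `scramble` is the 20-byte seed the server sent."""
    auth = native_password_response(password, scramble)
    return (bytes([COM_CHANGE_USER])
            + user + b"\x00"
            + bytes([len(auth)]) + auth
            + database + b"\x00"
            + struct.pack("<H", CHARSET_UTF8MB4_GENERAL_CI)
            + PLUGIN_NAME + b"\x00")


def parse_change_user(payload: bytes) -> dict:
    """Server side: split the payload back into its fields."""
    if not payload or payload[0] != COM_CHANGE_USER:
        raise ValueError("not a COM_CHANGE_USER payload")
    end = payload.index(b"\x00", 1)
    user, pos = payload[1:end], end + 1
    n = payload[pos]
    auth, pos = payload[pos + 1:pos + 1 + n], pos + 1 + n
    end = payload.index(b"\x00", pos)
    database, pos = payload[pos:end], end + 1
    charset = struct.unpack_from("<H", payload, pos)[0]
    pos += 2
    end = payload.index(b"\x00", pos)
    return {"user": user, "auth": auth, "database": database,
            "charset": charset, "plugin": payload[pos:end]}


def server_accepts(payload: bytes, scramble: bytes, accounts: dict) -> bool:
    """Decide whether the server would switch the session to the named user.
    `accounts` maps user name -> stored SHA1(SHA1(password))."""
    fields = parse_change_user(payload)
    if fields["plugin"] != PLUGIN_NAME or fields["user"] not in accounts:
        return False
    return verify_response(fields["auth"], scramble, accounts[fields["user"]])


if __name__ == "__main__":
    # Constructed values: a fixed scramble and one LDAP-style user account.
    scramble = bytes(range(20))
    accounts = {b"alice": stored_hash(b"correct horse")}
    good = build_change_user(b"alice", b"correct horse", scramble, b"app")
    print("with password:", server_accepts(good, scramble, accounts))
    # An application server that knows only the user name has no password
    # to derive the auth response from; a guess is rejected.
    bad = build_change_user(b"alice", b"", scramble, b"app")
    print("without password:", server_accepts(bad, scramble, accounts))
```

Running the module prints `True` for the packet built with the real password and `False` for the one built without it, which is the "full authentication process" the comment refers to: the stored hash lets the server check the response, but producing one still requires the secret the reporter says is locked in the LDAP server.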
| Comment by Nicholas Denning [ 2016-05-26 ] |
No, it's rather the ability to use something similar to the DB2 TRUSTED CONTEXT object and then be able to define the use of the trusted context in the data source. Thus the database connection automatically switches to the user when the getconnection() is called.
| Comment by Daniel Black [ 2016-05-26 ] |
DB TRUSTED CONTEXT object conceptually sounds like the Kerberos token for authentication.
| Comment by Sergei Golubchik [ 2016-05-30 ] |
Yes, this could be rather easily solved by an authentication plugin. For example, Kerberos, as danblack wrote, or a dedicated plugin that authenticates your application server and allows it to change the identity to any user.